Hello all, I'm Craig Smith, the author of the Car Hacker's Handbook. I'm also the founder of Open Garages, a collective of mechanics, performance tuners, security researchers and artists. Also I'm a core member of I Am The Cavalry which is a non-profit outreach to help companies not make the mistakes of the past. I'm a security researcher by trade with a focus on automotive.

I will be here answering your questions on March 7th from 11-12:30 PST.

Hi Craig. Prominent automotive security researchers have gotten bad publicity for their safety practices. Two examples I think of are Miller and Valasek's Jeep hack demonstration for Wired and George Hotz's self driving car demonstration for Bloomberg.

I didn't see anything in your Car Hacker's Handbook about safety. What safety practices do you think a car hacker should follow? Is it okay to demonstrate proofs of concept on public roads?

When doing something like car hacking, the media will want a demo...ALWAYS. The more sensational the better. This puts a researcher in a difficult spot because they have a message they want to get across to a wide audience. However, if you are doing this professionally then most of your research has been done on prototype vehicles or components. Obviously you can’t drag those up on stage or in front of a camera to demonstrate a hack on. That leaves you with a vulnerable vehicle that is currently deployed. I personally try to avoid showing an actual car at all costs because no matter how hard I try to explain that I am not picking on a single vendor, the story is always 'vehicle X is a deathtrap'. So I use test benches for most of my demos.

You can do a vehicle demo if you really want but do not do it on a public road. In the case of the Jeep hack it worked out because there wasn’t an accident. If there is an accident caused by you intentionally stalling a vehicle, or your self-driving vehicle makes a mistake, you are liable. I’ve heard the argument that vehicles stall on the highway all the time, but the difference is that you caused that. And that is not only irresponsible but will land you in a LOT of trouble if you cause any type of accident.

What are some forms of automotive security we can try out without an expensive startup cost or the possibility of breaking something important on our cars? More simply, how does one cheaply break into this world?

In addition, what sorts of differences in approach do you take in, say, an application penetration test and an automotive penetration test?

The best place to get started is to play around with the CAN bus. This is a standard bus on your vehicle and is easily accessed via the OBD port. You can get a good sniffer like the CANtact for ~$50 and use open source tools to start dumping and analyzing packets. Linux comes with CAN support built in. I also recommend building a testbench. A testbench is the core components you want to test (ECU, Infotainment, etc) simply wired up to power on a board. You can often get these parts from a junkyard fairly cheap.

The difference between an application assessment and an automotive assessment is that you are covering a lot of different specialties. You may be doing an assessment on just a single component or an entire vehicle. When doing a whole vehicle you are covering: SDR, hardware, software, unique bus networks etc. There currently are no published tools that do vulnerability scanning but you will use parts of a lot of tools on different parts of a vehicle. This field is still new and tools are constantly evolving. As the tools evolve and as the vehicle gets more and more sophisticated software, you will likely see security scanners evolve as well.
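The "dump and analyze packets" step above is where most people start. As an added example (not from the AMA, the book, or any Open Garages tool), the script below does the first-pass analysis a researcher would do on a test bench or a parked car: parse a capture in candump's log format (`(timestamp) iface ID#HEXDATA`), summarize each arbitration ID (frame count, approximate period, which payload bytes change on their own), and then diff a baseline capture against a capture taken while some control was operated, ignoring bytes that already churn at rest such as counters. The two captures are constructed for illustration, not recorded from a real vehicle.

```python
import re
from collections import defaultdict

# Constructed sample captures in candump's log format ("(timestamp) iface ID#HEXDATA").
# BASELINE_LOG: the bus at rest. ACTION_LOG: the same bus while some control is operated.
# Both are made up for this example; the IDs and payloads do not describe any real vehicle.
BASELINE_LOG = """\
(1490000000.000000) can0 1A3#0000000000000000
(1490000000.005000) can0 2C4#1122
(1490000000.010000) can0 1A3#0000000000000001
(1490000000.020000) can0 1A3#0000000000000002
(1490000000.030000) can0 1A3#0000000000000003
(1490000000.105000) can0 2C4#1122
(1490000000.205000) can0 2C4#1133
"""

ACTION_LOG = """\
(1490000001.000000) can0 1A3#0000000000000004
(1490000001.005000) can0 2C4#9922
(1490000001.007000) can0 3D1#FF
(1490000001.010000) can0 1A3#0000000000000005
"""

LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_candump(text):
    """Return a list of (timestamp, interface, arbitration_id, payload_bytes)."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or len(m.group("data")) % 2:
            continue  # skip blank lines and remote/error frames, which this parser does not model
        payload = bytes.fromhex(m.group("data"))
        frames.append((float(m.group("ts")), m.group("iface"), int(m.group("id"), 16), payload))
    return frames


def summarize(frames):
    """Per-ID statistics: frame count, mean period in seconds, and byte positions that vary."""
    by_id = defaultdict(list)
    for ts, _iface, can_id, data in frames:
        by_id[can_id].append((ts, data))
    stats = {}
    for can_id, items in by_id.items():
        items.sort()
        times = [t for t, _ in items]
        period = (times[-1] - times[0]) / (len(times) - 1) if len(times) > 1 else None
        first = items[0][1]
        changing = set()
        for _, data in items[1:]:
            for i in range(max(len(first), len(data))):
                a = first[i] if i < len(first) else None
                b = data[i] if i < len(data) else None
                if a != b:
                    changing.add(i)
        stats[can_id] = {"count": len(items), "period_s": period, "changing_bytes": sorted(changing)}
    return stats


def diff_captures(baseline_frames, action_frames):
    """IDs that only appear during the action, plus (id, byte) positions that were constant at
    rest but took a never-seen value during the action. Bytes that already vary at rest
    (counters, checksums, sensor noise) are ignored so they do not drown out the real signal."""
    base = summarize(baseline_frames)
    new_ids = sorted({f[2] for f in action_frames} - set(base))
    seen = defaultdict(lambda: defaultdict(set))  # id -> byte index -> values seen at rest
    for _, _, can_id, data in baseline_frames:
        for i, b in enumerate(data):
            seen[can_id][i].add(b)
    suspects = set()
    for _, _, can_id, data in action_frames:
        if can_id not in base:
            continue
        noisy = set(base[can_id]["changing_bytes"])
        for i, b in enumerate(data):
            if i not in noisy and b not in seen[can_id][i]:
                suspects.add((can_id, i))
    return {"new_ids": new_ids, "changed_bytes": sorted(suspects)}


if __name__ == "__main__":
    baseline = parse_candump(BASELINE_LOG)
    for can_id, s in sorted(summarize(baseline).items()):
        print(f"ID 0x{can_id:03X}: {s['count']} frames, period {s['period_s']}, "
              f"varying bytes {s['changing_bytes']}")
    print("action diff:", diff_captures(baseline, parse_candump(ACTION_LOG)))
```

On a real bench you would feed it the output of `candump -l` from SocketCAN instead of the embedded strings; the rest-versus-action diff is the same idea you apply by hand when you press a button and watch which frames move.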

There are two effective ways to raise awareness. One good method that is too often overlooked is to speak outside of your echo chamber. If you are doing new research on cars, go to an automotive convention to talk about security, NOT a security convention. If your goal is change, then you need to talk to the industry that is building the devices you are auditing.
The other method that works great is utilizing the press. The press is a great way to raise awareness. Often companies have security teams but they are underfunded or their message is getting drowned out. If a news report reaches a board member then that can change the scales in a good way. The downside is that using press can easily backfire. If you are too sensational, you may piss off the industry you are trying to help and they will stop listening to you, which is the opposite of what you originally intended. It can be very difficult to get the press to cover a story that doesn’t involve burning cars. But if you do it right, you can raise awareness and still have an industry listen and support you.

When I got started in security it wasn’t really a profession. It was a bunch of phone phreakers who were tinkering with whatever we could find and sharing info on BBS systems. Hacking is really your love for taking things apart and using your deductive reasoning skills. I got started in automotive security back in 2008. I bought a new car and it was my first car that had a touch screen interface with GPS, etc. I had a two hour commute from Cincinnati to Dayton at the time and the supplied software/OS quickly bored me. So I decided it would be great if I could make it play music videos. I had never hacked an IVI system or worked on vehicles previously, so the whole project was a unique experience. I documented my adventures (the wiki is still up at Hive13). This got the attention of some research companies and I started to put more serious thought into vehicle security. Several years later and now it seems all I do is vehicle security. The world is a funny place.

The mysterious black boxes, eh? This is a bit of old school lore. I know you are not talking about the airbag sensors but that is really where the crash data is. The “extra” pieces of info do not come from a secret black box, but if you see something like that in a court case it can often be that the auto manufacturer is providing some data that isn’t publicly known to be recorded. This often comes from the IVI (Infotainment) or Telematics unit or from the backend servers that these devices communicate with. Check out Berla to see a company that pulls this forensic evidence from IVI systems.

(1) IN GENERAL- Not later than 180 days after the date of enactment of this Act, the Secretary shall revise part 563 of title 49, Code of Federal Regulations, to require, beginning with model year 2015, that new passenger motor vehicles sold in the United States be equipped with an event data recorder that meets the requirements under that part.

So.... You are researcher in this area and calling it an urban legend??

I understand. But that's where this data is kept. The airbag sensor has evolved to an SDM airbag module. That module is now called the EDR. However, it's the same module; it just records more stuff now. Some of the interesting things it includes are:

It’s not that dangerous to start playing around with your CAN bus system. Just don’t do it WHILE you are driving. The systems are resilient to bad data so it is safe and educational to just plug in a CAN sniffer and start looking around. I don’t think you have to worry about your car being hacked any time soon. Security researchers have done a good job raising awareness before these types of exploits have become widespread. So at the moment we are still ahead of the curve.

We can't secure a toaster, fridge, web cams, light switches, TV's, computers, servers, even when some of these are behind billion dollar companies, and of course even governments.

We've shown that throughout the years, even though we claim to put engineering time into security, that security fails.

The industry has proven time and again that even automation in the smallest component of a car has shown to be untrustworthy, and further even the mechanical engineering outside of electrical is far from perfection with many fallacies.

Now, the industry is asking the population to depend on the security engineering of vehicles that we will be driving daily. Often and for most people, spending a third of their lifetime in these vehicular shells.

My question here is: What the fuck? And more importantly: How the fuck?

Calm down. Breathe. It’ll be ok. Yes, everything fails, it always has. As things become connected you add risk of … well, the entire internet. The Cavalry has a 5 star program that was targeted at automotive but it can be used with anything. It can also be viewed as the 5 ways of dealing with failure:

Are there any specific issues/practices within the vehicle manufacturing industry that lead to bad security?

For example, in this paper (PDF) the authors found vulnerabilities in code that "glued" third-party components to the vehicle's system. The authors claim that they found multiple vulnerabilities like this, indicating that manufacturers may not completely understand how third-party components function, leading them to write insecure software. The implication being that if the software had been built in-house, these errors may not have occurred.

The one practice that comes to mind that makes things very difficult for the auto manufacturers to implement security is the use of their tier suppliers. Tier suppliers provide all the components and modules used in a vehicle. They can come from a multitude of companies and this becomes a huge problem when it comes to managing security.

For each component supplier, you need to know how they handle security. You also need to come up with a system for updates of that component. You don’t want every component to have its own internet connection, so now you need to create a distributed package management system. Reporting issues to these component manufacturers can also be a huge pain. So when you say, ‘I found a bug in the 2016 X vehicle’ you are often saying that some component by some manufacturer has a bug in that car and several dozen others. Right now, there isn’t a database to look up what part is deployed in which vehicles. This becomes a problem even for security researchers. We can’t just post a CVE saying which vehicles and versions are affected because we don’t have the info on how many different vehicles are using this component. Right now there is an effort to address this situation and hopefully it will eventually be cleared up.

There are several groups and organizations in the auto industry where the OEMs and Tier suppliers share ideas. Some of these groups are run by SAE and others. GM is a good example of this situation. They have a bug bounty program. It is not a full-blown program yet because they are taking their time to work out these exact kinks in handling vulnerability disclosures. What will shake out of all of this is a system to communicate and get things fixed without needing a recall.

I admittedly have more projects than I have time for. I will be releasing a new tool at Nullcon this week that can do a lot of automatic automotive research for you. It has a GUI and requires no previous knowledge of the vehicle to work. This is the first step into building a universal platform for reversing and performing audits on vehicles.

I try to use GUIs that resemble gaming interfaces with my tools. In part because I think it’s fun but also to help address the issue of the media. My hope is, if you have something sexy enough for the media they will forget about trying to make you do something dangerous.

This is tangentially related, but what do you think about automated license plate readers, vehicle 2 vehicle or vehicle 2 grid communication systems? Would there be a way to jam/disable/obfuscate any of those systems to increase driver privacy?

Privacy with license plates is very tricky. ALPR libraries are common and easy to implement even in open source systems like ZoneMinder. If you are driving on a public road, through a parking lot or garage, you have no control of tracking from government or private residences. There isn’t much you can do about license plates.

Vehicle-to-vehicle (V2V) or Vehicle-to-Infrastructure (V2I) or Vehicle-to-anything (V2X) does have privacy built into its initial framework. They use a whole system of complicated certificates (butterfly keys) to help provide anonymity. I should point out that V2X isn’t required to track your car. Your car emits all kinds of things (and so do you) such as: Tire Pressure sensor information, Bluetooth IDs, Cellular ID info, WiFi, Keyless entry signals, etc. You could use any wireless signal with an ID (or collection of them) to identify the car and what smartphones are in your car.

Based on your knowledge of automotive information security, do you feel comfortable driving a modern vehicle? What about being a passenger in one? How concerned should I be on my commute, and what can I do about it?

I prefer newer vehicles. They are at higher risk of hacking but the overall safety of new vehicles outweighs the hacking risks. Additionally, I am not as worried about self driving cars. Which sounds counter-intuitive I know. But think about it. Right now a vehicle receives a signal that says “Apply the brakes” and the car does it. So a hacker just needs to get on the vehicle and play that signal. But with self-driving cars they use multiple sensors for everything and the sensors don’t trust each other's output. That is the KEY difference. The trusted environment in a self-driving vehicle architecture is way smaller. It’s like using a human's 5 senses to determine an item. If you wish to fully trick a human you must fake all 5 senses. Same goes with a vehicle, making it much harder to simply fool a single input.

Can you endorse any of the vendors? Not in a way of recommendation to buy any sort of the car, I am pretty sure every modern car is terribly dangerous in that regard. Maybe you could tell that company X has got a good security team and they are heading in the right direction?

I’m not big on endorsements. I try very hard to provide examples and demos that do not specify a specific vendor. What I would much rather do than say “Trust me, X is a good car” is to provide tools or a method for you to make your own decision. This is still a work in progress, but today you can make several observations yourself as a consumer. Does your vehicle manufacturer have some type of security disclosure policy? Is there an email address or a bug bounty program? If so, then they have a security department that is actively fielding submissions and fixing problems before they are public. Do they have a privacy disclosure policy? Are they telling you what types of data are being collected and how to opt out? All auto manufacturers are recording info but is yours letting you know? Does your vehicle have an over the air update system? If so that’s a good thing! That means that if a bug is found they can push the change without you having to take off work to deal with a recall. Recalls are expensive so they only do those when the costs of damages exceed a recall cost. If your car has OTA updates then you are much more likely to get fixes without having to wait for mass damages.

Not OP, but as a fellow interested party, from preliminary research GM might be a good place to start. They've formally announced a partnership with HackerOne (A reputable vulnerability crowd-sourcing entity) for bug bounties. - https://hackerone.com/gm

Excuse me for not having had a chance to read through the book, but when you are given a new car to hack, what is the first thing you do? Do you check for existing vulnerabilities found in other cars? If yes, what's the first one you check?

Typically I perform a threat model on either the vehicle or the component I've been given. I will build a testing plan off of that. If there are known issues identified in other similar components I will of course test for them. I don't really have a go-to vulnerability. Perhaps once this field evolves some more we will have a top 10 issues to look for, kind of thing.

I'm a fan. They have been very open about security and working with the community. There is always more to do and there are other auto makers also working on good security practices. I don't want to see the auto industry use security as yet another reason to say that company X is better than Y. It would be ideal if there was more open collaboration. I think that idea is spreading and hopefully all the automakers will be on the same page in terms of security soon.

Do you feel that automotive security is difficult for researchers to operate within because of the combination of knowledge of CAN bus protocols and ECIDs just to enter the space? Do you think there will be any mechanisms to allow security researchers to enter the domain more readily? Any recommendations for people just entering this domain?

I don't think it's difficult at all. I think it feels difficult because a lot of us simply feel we don't know cars. However, once you dig in a bit you see that it's just software and the bus network is crazy simple compared to TCP/IP. It is true that if you want to cover the entire attack surface of a car you will want to know a bunch of different technologies. There are new tools being released for this space and IoT in general almost monthly that make getting started even easier.

This is a newer area of research so a lot of the tools are not super friendly yet but they are getting there. Once you start I think you'll find it really isn't that hard.

Full-Time faculty member from Walsh College in Troy, MI... we are planning on using your book for our Connected Vehicle Cybersecurity Program.... I just wanted to say how much we appreciate you and your new book. It's wonderful to see someone with the same mindset of shared governance. We are truly blessed to have you in the community!

Hey Craig. I'm kind of a car guy in the sense that I like nice cars and like to tune/mod them to make them faster. You often read on the forums about an ECU being "locked" and that the tuning software companies are working on "unlocking" the ECU. What does this involve?

Is there encryption that they have to break? Are there new data protocols that have to be reverse engineered?

It seems that initially they have to physically open the ECU and connect to the actual circuit board. Then they end up being able to do the unlocking and flashing from an OBD2 port.

Where are some of the easier places to find, given any make & model, a car's wiring schematic/wire routing information?

For example the component layout that shows the power cord that feeds an antenna of a car's radio/GPS, so someone could isolate a signal with an opto-isolator/repeater to hopefully make a proxy, or, at the least, a power switch that is resistant to surges induced by outside interference (surges in the signal strength, induced by many interfering signals like radio)?